Jim Butterworth | To protect networks, know thy data

By William Jackson

Feb 18, 2009

Jim Butterworth is Guidance Software’s director of incident response and federal services, but he focuses as much on preventing incidents as responding to them. He stresses a proactive approach to information assurance that begins with visibility and awareness.

He served more than 20 years in the Navy, including two tours in the Fleet Information Warfare Center at the Navy Center of Excellence for Information Warfare. Since joining Guidance, he has worked with incident response teams in the Defense Department and other U.S. agencies, and with foreign countries and NATO. “I see the same things repeated in all of them,” he said. “They carry different flags, but the problems are universal.”

GCN: Data breaches have become an increasingly high-profile issue in recent years. Is the problem becoming worse?

JIM BUTTERWORTH: The answer to that is twofold. First, due to the increased media reporting and the rise in public awareness, it has become a hot-button issue. And frankly, it’s a matter of public safety. What has become painfully apparent is that there is not a single industry that is immune to this problem. It has been my experience, however, that the commercial sector does a better job of protecting not only information, but their intellectual property as well.

GCN: Why is that?

BUTTERWORTH: I think they are better at quantifying the risk. The measure that they use is financial loss. It’s real, and there are heavy sanctions that are going to be imposed by their industry regulators. How does one bring a claim against a government agency for allowing a data breach to occur? I think the government does a decent job of holding everyone else accountable, but not always themselves.

GCN: What is the second reason for the high profile of data breaches?

BUTTERWORTH: Many security experts would agree with me when I say that the number of incidents being reported is mere fraction of the incidents that are actually occurring. This is because of the fear of public disclosure and the corresponding loss of public confidence; plus you can’t discount the possibility that these companies and agencies aren’t even aware that they’ve been breached. Is the problem becoming worse? Well, as of this interview [Jan. 22], PrivacyRights.org has compiled a list of 14 breaches this year, and within the last couple of days we have caught wind of the Heartland Bank having potentially the largest breach. What’s frustrating to a provider of solutions is the repeated cycle of exposure and the failure to secure the data. There is a black market for this information, and as long as there is an entity willing to pay for that information, we are going to continue to have a problem.

GCN: The Office of Management and Budget has prescribed steps to help agencies better protect personally identifiable information. How good a job are agencies doing at it?

BUTTERWORTH: I would give them high marks for establishing policies that recognize the importance of protecting the data, but I would give them low marks in their ability to actually execute on it. At the highest Cabinet positions, their goals are very well intentioned -- and that is, to protect the public, protect our research and protect our national secrets. They get it. The breakdown that I witness is in the implementation of the safeguards. We continue to emphasize access control and perimeter security, yet how do you apply access controls to an object you don’t even know exists? Or why are you relying on detecting data in motion? Isn’t that too late? The single biggest challenge in this problem is enabling the stewards of our data to identify, locate and remediate errant data.

It’s not our servers and data warehouses that are getting us into trouble. It is the data that exists on our networks that we don’t know about. It’s the employees who are storing things to their laptops and their workstations, the engineers who are making copies of their intellectual property off of the server. We need a fundamental shift in our approach to the problem. We need to ask ourselves how does the justice system go about locating information, and then model that capability to protecting our information. You can’t expect anyone to protect something they don’t know exists.

GCN:Is it necessary for agencies and other organizations to hold all of the sensitive data they do?

BUTTERWORTH: Ultimately that is up to the individual agencies to decide. I would encourage them to review their data retention policies, audit the data that is on their networks to see if they are within that policy, and then enforce the policy by either archiving or remediating the data. Rarely can a system administrator report the contents of a system with any accuracy beyond anything that is on a baseline image used to build the system in the first place. They don’t really know what’s on their systems. How can you determine the risk when after you roll the baseline image out, you stop paying attention to the device?

GCN: What is the greater risk: data at rest or in transit?

BUTTERWORTH: From my experience, it is the data at rest and the opportunity of the insider’s exploitation that poses the greatest risk. We permit access to insiders. That is the essence of a network. With that access comes exposure. How you control or audit that exposure ultimately determines your risk.

GCN:How do you protect against internal threats when most of our defenses are facing outward?

BUTTERWORTH: Ronald Reagan used an old Russian proverb that translates to: Trust, but verify. I think we should adopt a similar stance with regard to our data and our insiders. We grant them access, but shouldn’t we occasionally audit them to ensure that the access and the things they are doing aren’t being abused? The technology side of it is to implement multiple security layers consisting of a hybrid of solutions: some perimeter checks, access controls [and] you should look into encryption. But most importantly, you should have endpoint visibility. It ensures a good mix of detection coupled with good mitigation.

GCN:How do you identify risks before you are attacked?

BUTTERWORTH: You can’t make a determination of risk on the unknown. When you’re talking about data breaches, it is the data that is the risk. What often is done to cut exposure and your risk is to declare that, I may not know where everything is, but I can certainly control the gateway. This is what has led us to concentrating on perimeter solutions. But if you can be 100 percent certain that no critical information sits where it isn’t supposed to be, doesn’t the job of defending the network become easier? I hope that 2009 becomes the year of the endpoint, where organizations and agencies begin to recognize that the solution to their risk is in identifying the data, classifying it appropriately and then taking action on its disposition.

GCN: Security being imperfect, breaches are bound to occur. How can you spot a breach or possible breach before it becomes a problem?

BUTTERWORTH: Computers leave telltale artifacts behind that coincide with a specific action. A computer will not do something that it was not either programmed or asked by a user to do. So by searching for and identifying these artifacts early, an examiner can then make a determination as to the intent of what he is seeing. A skilled examiner equipped with the right tools can differentiate between normal computer behavior and an anomaly. Recognizing these anomalies early can provide a good indication and warning of impending activity. There are plenty of triggers out there that we should be exploiting.

GCN:What are the relative strengths of access controls and encryption in securing information?

BUTTERWORTH: They are both very well-suited for the purpose they were designed for. Both of those solutions are endpoint-centric. Access controls are well-suited to either allow or deny access to an object, as laid out by policy. Their weakness is that an access control implicitly is assigned to something that you know about. How do you supply a secure access control to errant data?

Encryption comes in many forms, such as data-in-motion, full-disk, file-based and so on. Our ability to encipher data in all of these forms is the strength of encryption. A weakness is the challenge of auditing that data, an unintentional consequence of encrypting it. You should not have to crack encryption to find out what the data is. The key is the integration of tools with encryption vendors so that you can have endpoint visibility and access the data legitimately. Guidance Software has been working with many encryption vendors to allow authorized users to see the data in an unencrypted format. Integrating the two solutions so they are not circumventing each other lessens the weakness of encryption.

GCN: You stress prevention. How important is response and forensics after the fact?

BUTTERWORTH: They are both vital. Unless an organization is able to learn from history, it is bound to repeat it. What an agency gains from incident response and forensics is a deeper technical understanding about the tactics, techniques and procedures of our enemies. There is a fine line between gains and losses with regards to how quickly an agency should put an asset back online. What they should consider is whether it is more important to their mission to put the system back online versus potentially losing opportunities forever to learn about what happened. How did the enemy get in? What did they take? There are many reasons an agency would desire to return to full operational capability as quickly as they can. I am not advocating that every computer be examined every time. I am advocating a process be put in place that allows those responsible for the mission to make that determination.

There is a psychological impact when an agency announces that it is adopting forensic technology throughout the infrastructure. It puts teeth to the consent-to-monitoring clause that is on every federal warning banner. It becomes a fantastic deterrent. But it has been my experience that the skilled practitioners who can do incident response and forensics are few and far between. Our agencies would be well served to identify people, train them and take this seriously.